There was an interesting piece of news this week from NCC Group plc, an information assurance specialist that provides software Escrow services amongst other things.
It's their impression that software risk is too low on the corporate agenda, and they back up this view with analysis of the use of Escrow amongst leading UK companies. Escrow is where software source code is stored with a third party (such as NCC) and released under certain circumstances, such as the vendor going out of business.
If a company is in the FTSE-100, there is an 82% probability that they will have Escrow in place for at least one piece of software they use.
However, if you expand that analysis to the FTSE-350, the number of 'yes' responses drops to 54%, which means that 46% of the richest 350 companies in the UK don't have any "break glass in emergency" strategy for their software.
One has to imagine that this can only get more skewed towards "no Escrow in place" as one goes further down the scale of company value.
Of course, a solution to this is to include source code access for customers along with every license sold. It can be argued that "source code included" is an even better disaster recovery strategy because it does not require vendor business failure before the buyer is free to study the code. That's what happens with CogniDox.